Project Description

Watchmaker

Applied Configuration Management

Overview

Watchmaker is a Python package that helps bootstrap a vanilla OS image and
apply an OS configuration. Watchmaker itself reads a simple YAML configuration
file, which can be hosted on the local filesystem or on a web server.

Complex configuration management (CM) environments may be layered in as part of
the provisioning framework. Watchmaker includes a default configuration that
will install Salt and a handful of Salt Formulas that can be used to harden a
system to DISA STIG standards, as well as integrate with common enterprise
services.

0.6.0

Updates the EL7 stig baseline to manage the FIPS state. The state
defaults to enabled but can be overridden via a pillar or grain,
ash-linux:lookup:fips-state. The grain takes precedence over the
pillar. Valid values are enabled or disabled

ash-windows-formula

Updates the STIG baselines for Windows Server 2016 member servers and
domain controllers with SCAP content from the DISA v1r1 SCAP benchmark
release

join-domain-formula

Fixes an issue when joining Windows 2016 servers to a domain, where the
Set-DnsSearchSuffix.ps1 helper would fail because the builtin
PowerShell version does not work when $null is used in a ValidateSet.
The equivalent value must now be passed as the string, "null"

scap-formula

Adds SCAP content for the Windows Server 2016 SCAP v1r1 Benchmark

0.5.1

[Issue #341][PR #342] Manages selinux around salt state
execution. In some non-interactive execution scenarios, if selinux is
enforcing it can interfere with the execution of privileged commands (that
otherwise work fine when executed interactively). Watchmaker now detects if
selinux is enforcing and temporarily sets it to permissive for the duration
of the salt state execution
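The guard described above, as an added example that is not Watchmaker's own code: drop SELinux to permissive only when it is currently enforcing, and restore enforcing afterwards even if the salt run raises. The `getenforce`/`setenforce` wrappers are hypothetical names and are injectable so the logic can be checked without root.

```python
import subprocess
from contextlib import contextmanager


def _getenforce():
    # Wraps getenforce(8); prints "Enforcing", "Permissive" or "Disabled".
    return subprocess.run(["getenforce"], capture_output=True,
                          text=True, check=True).stdout.strip()


def _setenforce(mode):
    # Wraps setenforce(8): 0 = permissive, 1 = enforcing. Requires root.
    subprocess.run(["setenforce", str(mode)], check=True)


@contextmanager
def selinux_permissive(getenforce=_getenforce, setenforce=_setenforce):
    """Switch to permissive only if SELinux is currently enforcing, and
    switch back to enforcing on exit, including when the body raises.

    A "Disabled" system is never touched: the mode cannot be changed at
    runtime, and nothing needs relaxing. The two callables are parameters
    (hypothetical names) so the logic can be exercised without root.
    """
    was_enforcing = getenforce() == "Enforcing"
    if was_enforcing:
        setenforce(0)
    try:
        yield was_enforcing
    finally:
        if was_enforcing:
            setenforce(1)


def run_with_selinux_relaxed(run_state, getenforce=_getenforce,
                             setenforce=_setenforce):
    """Run `run_state()` inside the guard; returns (result, was_enforcing)."""
    with selinux_permissive(getenforce, setenforce) as was_enforcing:
        return run_state(), was_enforcing
```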

[Issue #316][PR #320] Improves logging when salt state
execution fails due to a failed state. The salt output is now returned to
the salt worker, which processes the output, identifies the failed state,
and raises an exception with the state failure
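The failed-state detection described above, as an added example rather than Watchmaker's own worker code: walk the JSON output of a local `salt-call` state run, collect every state whose `result` is `false`, and raise with those failures named. The sample output and its state ids are constructed.

```python
import json


class SaltStateFailure(Exception):
    """Raised when at least one state in a salt run reports result False."""


# Constructed sample of `salt-call --local state.highstate --out json`:
# one passing state, one failed state, one skipped because its requisite failed.
SAMPLE_OUTPUT = json.loads('''{"local": {
  "pkg_|-install_audit_|-audit_|-installed":
    {"__run_num__": 0, "result": true, "changes": {},
     "comment": "Package audit is already installed"},
  "file_|-fips_cfg_|-/etc/example-fips.conf_|-managed":
    {"__run_num__": 1, "result": false, "changes": {},
     "comment": "Source file salt://example/fips.conf not found"},
  "cmd_|-rebuild_initramfs_|-dracut -f_|-run":
    {"__run_num__": 2, "result": null, "changes": {},
     "comment": "One or more requisite failed"}
}}''')


def failed_states(output):
    """Return [(state_id, comment), ...] for every state whose result is False,
    in execution order. result None means the state was skipped, not failed.
    If salt could not render the SLS it returns a list of error strings
    instead of a dict; those are reported under the id "render"."""
    ret = output.get("local", output)
    if isinstance(ret, list):
        return [("render", msg) for msg in ret]
    ordered = sorted(ret.items(), key=lambda kv: kv[1].get("__run_num__", 0))
    return [(sid, data.get("comment", "")) for sid, data in ordered
            if data.get("result") is False]


def check_state_output(output):
    """Raise SaltStateFailure naming each failed state; otherwise return the
    number of states in the run."""
    fails = failed_states(output)
    if fails:
        detail = "\n".join("{}: {}".format(sid, c) for sid, c in fails)
        raise SaltStateFailure(
            "{} salt state(s) failed:\n{}".format(len(fails), detail))
    return len(output.get("local", output))
```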

join-domain-formula

(Linux) Reworks the pbis config states to make the logged output more
readable

0.4.4

(Linux) Ignores a bad exit code from pbis config utility. The utility
will return exit code 5 when modifying the NssEnumerationEnabled
setting, but still sets the requested value. This exit code is now
ignored

0.4.2

[PR #301] Sets the grains for admin_groups and admin_users so the
keys are named as expected by the join-domain formula

ash-linux-formula

Adds a custom module that lists users from the shadow file

Gets local users from the shadow file rather than user.list_users.
Prevents a domain-joined system from attempting to iterate over all
domain users (and potentially deadlocking on especially large domains)

join-domain-formula

Modifies PBIS install method to use RPMs directly, rather than the
SHAR installer

Updates approaches to checking for collisions and current join status
to better handle various scenarios: not joined, no collision; not
joined, collision; joined, computer object present; joined, computer
object missing

Disables NSS enumeration to prevent PBIS from querying user info from
the domain for every call to getent (or equivalents); domain-based
user authentication still works fine

name-computer-formula

(Linux) Does not attempt to retain network settings, to avoid a bug in
salt; will be revisited when a patched salt version has been released

0.4.1

(EL7) Running watchmaker against EL7 systems will now pin the resulting
configuration to the watchmaker version. See the updates to the two
formulas in this version. Previously, ash-linux always used the content
from the scap-security-guide rpm, which was updated out-of-sync with
watchmaker, and so the resulting configuration could not be pinned by
pinning the watchmaker version. With this version, ash-linux uses
content distributed by watchmaker, via scap-formula, and so the
resulting configuration will always be the same on EL7 for a given version of
watchmaker (as has always been the case for the other supported
operating systems).

ash-linux-formula

Supports getting scap content locations from pillar

scap-formula

Updates stig content with latest benchmark versions

Adds openscap ds.xml content, used to support remediate actions

0.4.0

[PR #286] Sets the computername grain with the correct key expected
by the formula

[PR #284] Converts cli argument parsing from argparse to click.
This modifies the watchmaker dependencies, which warranted a 0.x.0 version
bump. Cli and API arguments remain the same, so the change should be
backwards-compatible.

name-computer-formula

Adds support for getting the computername from pillar

Adds support for validating the specified computername against a
pattern

0.2.0

[Issue #234] Stops the salt service prior to managing salt formulas,
to ensure that the filesystem does not throw any errors about the files
being locked

[Issue #72] Manages salt service so the service state after
watchmaker completes is the same as it was prior to running watchmaker. If
the service was running beforehand, it remains running afterwards. If the
service was stopped (or non-existent) beforehand, the service remains
stopped afterwards

[Issue #163] Modifies the user_formulas config option to support
a map of <formula_name>:<formula_url>

[PR #235] Extracts salt content to the same target srv location
for both Windows and Linux. Previously, the salt content was extracted to
different points in the filesystem hierarchy, which required different
content for Windows and Linux. Now the same salt content archive can be
used for both